The General Services Administration (GSA) Federal Acquisition Service has released draft contract terms and conditions related to artificial intelligence (AI)-related procurements through a new proposed GSAR clause 552.239-7001, “Basic Safeguarding of Artificial Intelligence Systems (FEB 2026) (GSAR Deviation), that would impose material new requirements on contractors and service providers supplying artificial intelligence capabilities to the federal government. If adopted, the clause would be inserted into all solicitations and contracts for AI capabilities and would govern data rights, disclosure obligations, security protocols, and performance standards for AI systems used in federal operations. Federal contractors, technology vendors, and their in-house operations and counsel teams should closely review the proposed terms, as they represent one of the most comprehensive efforts to date to regulate the procurement and use of AI systems across the federal enterprise.

Key Takeaways

  • Under the proposed clause, the government would retain full ownership of all data inputs, data outputs, and custom developments generated through the AI system, with contractors receiving only a limited, revocable license to use such data for contract performance.
  • Contractors and service providers are strictly prohibited from using government data to train, fine-tune, or improve AI models for any purpose outside the specific contract — including for other customers or commercial products.
  • Only “American AI Systems” — developed and produced in the United States — may be used in contract performance, requiring supply-chain diligence on all AI components.
  • Contractors must disclose all AI systems used in contract performance, including any configurations for non-U.S. regulatory frameworks, within 30 days of award.
  • An “eyes off” data handling standard limits human review of government data, and all government data must be logically segregated from non-government customer data.
  • Security incidents must be reported within 72 hours, with daily updates and a 90-day artifact preservation obligation.
  • The government reserves the right to benchmark AI systems for bias, truthfulness, and safety at any time — without disclosing its methodologies — and may suspend use or terminate for cause if the contractor fails to meet “Unbiased AI Principles.”
  • The clause provides that it controls over any conflicting contractor or service provider policies, terms, or commercial agreements.

Background

The proposed clause is issued under Part 539 of the GSAR (Acquisition of Information and Communication Technology) and would apply broadly to any contract involving AI capabilities procured through GSA. The clause defines “Artificial Intelligence (AI) System” by reference to the Advancing American AI Act, section 7223(4) of Public Law 117-263, and introduces a series of defined terms — including “Custom Development,” “Data Inputs,” “Data Outputs,” “Government Data,” and “Service Provider” — that form the backbone of its substantive requirements. Notably, the clause establishes that in the event of any conflict between the clause and any contractor or service provider policies, terms, conditions, or commercial agreements, the clause controls.

The clause also imposes direct responsibility on prime contractors for the compliance of any service provider whose AI system is used in the performance of the contract, even where that service provider is not a party to the contract.

Key Provisions

The proposed clause addresses six principal areas of concern for the federal government in procuring AI systems: intellectual property and data rights, data handling and security, contractor disclosure and compliance obligations, privacy protections, data portability, and AI performance and evaluation standards.

  • Intellectual Property and Government Data Rights. The clause establishes that the government retains full ownership of all “Government Data” — defined to include both Data Inputs (such as prompts, queries, source data, and uploaded documents) and Data Outputs (such as responses, analyses, derivative data, and metadata) — as well as all Custom Developments. Contractors and service providers receive only a limited, revocable, non-exclusive, non-transferable license to use Government Data and Custom Developments solely for the purpose of performing the contract, providing technical support, or as otherwise expressly authorized in writing by the contracting officer. To the extent a contractor or service provider obtains any intellectual property rights in Government Data or derivative works, those rights are automatically assigned to the government upon creation. Contractors retain ownership of their underlying AI systems and base models.
  • The clause further requires contractors to grant the government an irrevocable, royalty-free, non-exclusive license to use the AI system for any lawful government purpose during the contract term, including the right to input data, receive outputs, allow authorized personnel to use the system, and integrate it with government systems. Critically, the AI system must not refuse to produce data outputs or conduct analyses based on the contractor’s or service provider’s discretionary policies, although the clause does not require retraining of the model or alteration of model weights.
  • Prohibited Uses of Government Data. The clause strictly prohibits contractors and service providers from using Government Data in several key ways. These include using Government Data to train, fine-tune, or otherwise improve a large language model or other AI model — including for third parties — or to develop or improve AI systems for any other customer or for any commercial or non-commercial purpose. Government Data also may not be used for targeting government or non-government entities or for informing the contractor’s advertising, marketing, sales, monetization, strategy, or other business decisions. Retention, access, or use of Government Data beyond the scope and duration expressly permitted in the contract is prohibited.
  • Data Handling, Security, and Localization. Contractors and service providers must implement reasonable technical, administrative, physical, and organizational safeguards to protect Government Data. The clause imposes an “eyes off” data handling standard, restricting human review of Government Data except as strictly necessary for system functionality or incident response, with all human access to Government Data logged, justified, and limited to the minimum necessary. Contractors must provide tools enabling the government to maintain detailed records of all processing activities involving Government Data. Data localization requirements prohibit the removal or transmission of Government Data from agreed-upon premises or authorized services without express written consent from the ordering agency. Government Data must be logically segregated from the data of non-government customers and protected through access controls, encryption, labeling, and continuous monitoring.
  • Upon contract completion, termination, or expiration, the contractor and service provider must securely delete all Government Data and Custom Developments from the AI system and all other systems, backups, and derivatives, and certify such deletion in writing to the contracting officer.
  • Custom Developments and Model Rights. Custom Developments — including any customized or enhanced models — must be dedicated to the government’s exclusive use and treated as the government’s confidential information. Contractors may not use, reproduce, or derive benefit from Custom Developments for any other purpose or party without the contracting officer’s express written authorization. The government also retains ownership of all feedback provided to the contractor or service provider with respect to the AI system or Custom Developments, and feedback that includes Government Data may not be used for system improvement or any other purpose outside performance of the contract.

Disclosure, Compliance, and Reporting Obligations

The clause imposes significant affirmative disclosure and compliance obligations on contractors.

  • AI System Disclosure. Contractors must disclose all AI systems used in the performance of the contract to the ordering contracting officer, including whether any AI system has been modified or configured to comply with any non-U.S. government or commercial compliance or regulatory framework, no later than 30 days after award (or earlier if requested).
  • American AI Systems Mandate. The clause mandates that contractors and service providers use only “American AI Systems” — defined as AI systems developed and produced in the United States, as referenced in OMB Memorandum M-25-22. The use of foreign AI systems in contract performance, including AI components manufactured, developed, or controlled by non-U.S. entities, is prohibited.
  • Human Oversight and Transparency. Contractors must provide a means for the government to implement human oversight, intervention, and traceability. If the AI system uses intermediary processing (such as reasoning, retrieval, or agentic processes), the system must summarize intermediary steps from data input to data output and make that information accessible through data output, audit trail, and, as applicable, the user interface. At a minimum, the AI system must include summarized intermediate processing actions and decision points, model routing decisions with rationale, and data retrieval methods employed (including complete source attribution with direct links and relevant excerpts).
  • Incident Reporting. Contractors or service providers must complete the CISA incident reporting form and notify the contracting officer and any government-provided points of contact as soon as possible — but no longer than within 72 hours — of the discovery of any confirmed or suspected security incident, and must provide daily status updates until resolution. Notifications must include the nature and scope of the incident, data potentially affected, immediate remediation steps, timeline for full resolution, and measures to prevent recurrence. Contractors must also preserve all relevant logs, forensic images, and incident artifacts for a minimum of 90 calendar days from a security incident involving Government Data to support law enforcement investigation.
  • Documentation. Upon government request and under appropriate confidentiality protections, contractors must provide existing commercial documentation sufficient to demonstrate compliance, including documentation of AI system decision-making processes and operational parameters, system documentation consistent with the NIST AI Risk Management Framework, privacy controls effectiveness, testing methodologies for bias detection, known biases and limitations, and any other information necessary for the government to complete an AI Impact Assessment under OMB M-25-21.

Privacy, Data Portability, and Interoperability

The clause requires contractors and service providers to provide tools enabling the government to implement automated detection mechanisms and user notifications to manage, prevent, and reject the entry or persistence of personally identifiable information (PII) within the AI system. Contractors must ensure the use of open and standard data formats and application programming interfaces (APIs) for all Data Outputs, Custom Developments, and AI systems, and must not use proprietary technologies or formats that require additional licensing or create vendor dependencies. The clause also requires tools enabling government customers to export all Government Data and content — including conversational history, uploaded documents, media files, and custom knowledge bases — in open, machine-readable formats.

Unbiased AI Principles and Performance Standards

The clause introduces “Unbiased AI Principles” requiring contractors to make commercial efforts to ensure that the AI system is truthful in responding to user prompts seeking factual information, prioritizes historical accuracy, scientific inquiry, and objectivity, and acknowledges uncertainty where reliable information is incomplete or contradictory. The AI system must be a “neutral, nonpartisan tool” that does not manipulate responses in favor of ideological dogmas, and contractors must not intentionally encode partisan or ideological judgments into Data Outputs.

The clause reserves the government the right to conduct automated assessments of the AI system at any time using its own benchmarks, evaluating bias, truthfulness, safety, unsolicited ideological content, and other factors. Contractors must provide tools and interfaces enabling the government to run its benchmarks in an automated fashion. All benchmarks, test data, and methodologies developed or used by the government are considered Government Data, and the government is under no obligation to disclose its underlying data or methodologies.

Enforcement Mechanisms and Timelines

The proposed clause includes several notable enforcement and compliance mechanisms. The government retains the right to suspend use of the AI system until performance issues are satisfactorily addressed. If the agency terminates the contract for cause due to failure to comply with the Unbiased AI Principles, the contractor must be liable for reasonable decommissioning costs.

Contractors must provide at least 30 calendar days’ written notice before any planned material change to the AI system, including changes to models, algorithms, safety guardrails, or behavioral constraints impacting lawful usage or the performance or truthfulness of outputs. Similarly, contractors must provide at least 30 calendar days’ notice before adding a new service provider or materially changing an existing service provider used in contract performance.

The order of precedence provision establishes that this clause controls in the event of a conflict with any contractor or service provider policies, requirements, or commercial agreements. Additionally, the clause provides that when placing an order under contracts that include this clause, the parties may bilaterally supplement or revise certain paragraphs — specifically those governing intellectual property, privacy, data portability, and change management — on an order-specific basis.

Practical Implications for Federal Contractors

The proposed clause would significantly alter the landscape for companies providing AI capabilities to the federal government. Several implications merit particular attention.

First, the expansive definitions of “Government Data,” “Data Inputs,” and “Data Outputs” sweep broadly to encompass virtually all data flowing into or out of the AI system in connection with government use. Companies that provide commercial AI products to multiple customers — including both government and private-sector clients — will need to evaluate whether their existing data architectures can accommodate the strict segregation, “eyes off” handling, and deletion requirements imposed by the clause.

Second, the prohibition on using Government Data to train, fine-tune, or improve AI models for any purpose outside the specific contract could require significant re-engineering of how commercial AI vendors manage training pipelines and feedback loops. This provision, combined with the government’s retention of ownership over all feedback, may constrain contractors’ ability to improve their commercial products based on government usage patterns.

Third, the “American AI Systems” mandate introduces a supply-chain dimension that will require careful diligence on the origin and development of AI “components”. Contractors using AI models, components, or infrastructure developed or controlled by non-U.S. entities, even where such components are embedded in a broader U.S.-developed product, will need to assess their ability to comply with these terms.

Fourth, the human oversight, transparency, and source attribution requirements may pose challenges for contractors which maintain AI systems that rely on proprietary architectures or opaque processing pipelines. Contractors should evaluate whether their systems can meet the requirement to summarize intermediary processing steps, model routing decisions, and retrieval methods with full source attribution.

Fifth, the clause’s requirement for Unbiased AI Principles and the government’s reserved right to conduct its own benchmarking assessments — with no obligation to disclose methodologies — create a compliance environment in which contractors may have limited visibility into the standards against which their systems will be judged. The potential for contract suspension or termination for cause, including liability for decommissioning costs, underscores the stakes of noncompliance.

For questions about this executive order and its implications for federal contracting, AI use, cybersecurity requirements, and False Claims Act compliance, contact the authors or members of the firm’s False Claims Act, Government Contracts, or Data Privacy and Cybersecurity teams.